CIS CSC #7 – Email and Web Browser Protections

I am working on a series of posts related to the Center for Internet Security (CIS) Critical Security Controls (CSCs). See the full listing here.

Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.

This control includes ten (10) sub controls. For those of you reviewing the CIS Controls with the Implementation Groups in mind, there is one (1) IG1 control and seven (7) IG2 controls. This means that, at a minimum, we want to:

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

As you likely already know, the human at the keyboard is often where a breach takes place. Attackers have a much higher success rate of breaching a network when they can get an employee to click on a link or divulge information instead of hacking through a public-facing device outright.

These controls can be implemented at the device level, as well as at the network level. You may consider both if you have a large user base with mobile devices such as laptops. Those devices are more likely to be on untrusted networks, meaning the device will use whatever DNS server the network hands it. Many enterprise-grade solutions will allow you to configure DNS settings to always use a trusted source, regardless of what network the device is on.
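To make the "block access to known malicious domains" sub control concrete, here is an added example (my own illustration, not code from Pi-hole, OpenDNS or CIS) of the decision logic a filtering resolver applies, whether it runs on the device or on the network. It parses a blocklist in the hosts-file format that many public lists use, treats a rule as covering the listed domain and all of its subdomains, and returns a sinkhole address instead of forwarding the query upstream. The blocklist and the lookup names are constructed sample data.

```python
"""Minimal DNS-filter decision logic, added as an illustration of how a
blocklist resolver decides whether to sinkhole a lookup. The blocklist
text and query names below are constructed samples, not real indicators."""

from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

SINKHOLE_ADDR = "0.0.0.0"  # answer returned in place of the real record

# Constructed sample blocklist in the hosts-file format many public lists use.
SAMPLE_BLOCKLIST = """
# comment lines and blank lines are ignored
0.0.0.0 malicious.example
0.0.0.0 tracker.example   # inline comments are ignored too
127.0.0.1 localhost
"""


def parse_hosts_blocklist(text: str) -> set[str]:
    """Return the set of blocked domains from hosts-format text.

    Loopback entries such as 'localhost' are skipped: they are ordinary
    hosts-file lines, not block rules."""
    blocked: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:  # need at least an address and one name
            continue
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if name in ("localhost", "localhost.localdomain", "ip6-localhost"):
                continue
            blocked.add(name)
    return blocked


def is_blocked(qname: str, blocked: set[str]) -> bool:
    """A name is blocked if it, or any parent domain, is on the list, so a
    rule for malicious.example also catches cdn.malicious.example.
    Matching is on whole labels: notmalicious.example is NOT caught."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocked:
            return True
    return False


@dataclass
class FilterDecision:
    qname: str
    action: str             # "sinkhole" or "forward"
    answer: Optional[str]   # sinkhole address, or None when forwarded upstream


def resolve_with_filter(qname: str, blocked: set[str]) -> FilterDecision:
    """Decide what the resolver should do with one query name."""
    if is_blocked(qname, blocked):
        return FilterDecision(qname, "sinkhole", SINKHOLE_ADDR)
    return FilterDecision(qname, "forward", None)


def filter_queries(qnames: Iterable[str], blocklist_text: str) -> list[FilterDecision]:
    """Apply the blocklist to a batch of query names; the decisions are also
    what you would want written to the resolver's query log for detection."""
    blocked = parse_hosts_blocklist(blocklist_text)
    return [resolve_with_filter(q, blocked) for q in qnames]


if __name__ == "__main__":
    sample_lookups = ["malicious.example", "cdn.tracker.example",
                      "updates.example", "notmalicious.example"]
    for d in filter_queries(sample_lookups, SAMPLE_BLOCKLIST):
        print(f"{d.qname:25} {d.action:9} {d.answer or '(forward upstream)'}")
```

The parent-domain walk in `is_blocked` is the part worth getting right: a list entry for a domain should also cover its subdomains, but only on label boundaries, so a lookalike name that merely ends with the same characters is not swept in. Whether this logic runs on a Pi-hole on the LAN or in a resolver configured on the laptop itself, the device only benefits if its DNS settings actually point at the filtering resolver, which is the point of pinning a trusted DNS source on mobile devices.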

This control has several really interesting technologies to help with implementation, so I wanted to share a few demonstrations. The first is a guide for installing Pi-hole on an Ubuntu host, which could be a virtual machine. This acts as a central blacklist for DNS lookups on your network.

The second video I wanted to highlight covers OpenDNS since this tool has more focus on the enterprise environment, though they do have a home license available. This video is a few years old, but I enjoyed how Eli broke down the configuration on the whiteboard, as well as a tour through the web GUI itself.